Anthony Di Bello

A security breach, or a fraudster acting from the inside, is expensive for any organization to endure - but such incidents are especially expensive for the heavily regulated financial services industry.

In addition to direct monetary losses from
an incident, breaches also create a significant hit to the trust an institution
enjoys. That lost trust causes customers to leave, and creates a loss in
confidence among partners and even regulators. The resulting customer churn is
expensive, as is the loss of confidence among regulators which can result in
more aggressive audits. It’s just human nature to look more closely following a
security incident. And then there’s the higher cost of business insurance that
follows a breach.

While they're natural targets for cyber-thieves, financial services firms are also very heavily regulated. That's no secret, but it helps to highlight why, in addition to mitigating the damage of attacks, financial services firms should make sure they have solid incident response and e-discovery capabilities in place. These capabilities - properly integrated with IT, IT security, risk management, legal, HR, and business executives - should be ready to respond to potential cases of system abuse, fraudulent transactions, unauthorized or repeated access attempts to systems and applications, and incidents involving customer financial data.

What many people overlook is that quite a few regulations require that these capabilities be in place. And where they don't require it directly, their mandates make these capabilities essential.

For instance, the Payment Card Industry Data Security Standard (PCI DSS) is often overlooked when it comes to e-discovery and incident response. However, as this Information Law Group post points out, while PCI DSS doesn't directly require an incident response capability, it effectively does so through the requirements that result from it and are now commonplace among merchants and their payment processors:

In reality, however, a merchant's true obligations in a security breach situation are dictated by the merchant agreement it has with a payment processor or acquiring bank. Most modern merchant agreements will require the merchant to comply with the operating regulations and security programs of the relevant card brands. However, these contracts may also have additional duties relating to incident response, including different reporting requirements, audit rights and indemnification obligations.

If you are accepting a certain volume of credit card payments, chances are you are contractually required to have adequate incident response capabilities in place.

Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the [company's] assets that could have a material effect on the financial statements.[9]

Section 302 also specifically
identifies internal fraud as an event that would require disclosure by senior
management. Put simply, an adequate internal control structure must include
"controls related to the prevention, identification and detection of
fraud."

It's not just those two, albeit rather substantial, regulations that require financial services firms and others to have effective incident response and e-discovery capabilities in place. There's also the FTC's Red Flag Rules, designed to identify and fight identity theft, as well as the Gramm-Leach-Bliley Act's Notification Rule.

Each of these regulations, as well as numerous others, makes incident response and e-discovery capabilities essential. In fact, there isn't a financial services firm that doesn't need to be able to quickly find and provide the documents necessary for GLBA or Red Flag Rules compliance for incidents involving privacy or potentially even fraud.

Of course, all of this is easier written in a blog post than done. Like many things in life, success requires the right combination of technology, people, and practice. We believe Guidance Software provides the right technology for both e-discovery and incident response, so all you need to do is make an incident response plan, put it in place, and test and practice - this way, when something unexpected occurs, you'll be ready.

Yet most organizations don't give sensitive data discovery the attention it deserves. Here's why it's hard, and what you can do to do it right.

When we talk about protecting enterprises from attack, we are really talking about protecting our data. After all, it is the data that is so heavily regulated. It's data - when compromised - that causes breach notifications. And it's that valuable data that one ultimately doesn't want to fall into the wrong hands.

So it's surprising that so few companies - companies that spend so much capital and effort on security technologies to defend their networks - actually seek to know where their sensitive, confidential, and regulated data resides. Perhaps it's because they don't see the real value in doing so. Perhaps it's because the process has proven insurmountable at some point in the past. Regardless of the reason, it's a serious oversight.

Why? First, consider the benefits of understanding where sensitive data is located. Understanding and controlling the location of sensitive data can significantly reduce risk, because the data can be consolidated into fewer data stores as it's identified. It can also streamline data leak prevention deployments, help with litigation readiness (for data disclosure requests), and improve data retention policies. So why isn't it being done?

Part of the challenge is that auditing endpoint data, without the right tools, isn't easy. First, many of the tools require that endpoint data be fully indexed before it can be searched. That's just ludicrous today, as the process will take weeks, if not a month or more, to complete. With the velocity at which data moves today, the locations and nature of the data will change before the indexing process is even completed - not to mention that much of the data will be on highly mobile notebooks. Additionally, unstructured data is a big challenge for most tools. This includes finding data in emails, attachments, and local files.

Also, policies alone, without technological enforcement, aren't enough. Users will always find a way, whether accidentally or intentionally, to bypass policies that aren't monitored and enforced. So sensitive data discovery technology should also provide remediation: it's the only way to deliver the enforcement capabilities needed to ensure sensitive data is not stored anywhere in violation of your data policies.
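As an added illustration of the two points above (no up-front index, and policy enforcement rather than policy alone), here is a small Python scanner; it is example code written for this post, not Guidance Software's or EnCase's. It streams text through in chunks so nothing has to be indexed first, validates candidate card numbers with the Luhn check to cut false positives, masks every value it reports, and flags findings whose source lies outside an allow-list of sanctioned data stores. The allow-list `AUTHORIZED_STORES`, the patterns, and the sample text are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Tuple

# Pre-defined criteria (constructed for this example): a broad net for card
# numbers and US SSNs. Broad patterns over-match, so every hit is validated
# before it becomes a finding.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
# Longer than any text the patterns above can match (19 digits + separators);
# at least this much is carried from one chunk into the next.
MAX_MATCH_LEN = 64

# Assumed policy (hypothetical): the only sanctioned locations for regulated data.
AUTHORIZED_STORES = ("/srv/vault/",)

# Constructed sample input standing in for an unstructured notes file.
SAMPLE_NOTES = (
    "Customer callback: card 4111 1111 1111 1111 exp 12/26, "
    "SSN 219-09-9999, order ref 1234 5678 9012 3456.\n"
)


def luhn_ok(digits: str) -> bool:
    """Mod-10 check used by payment card numbers; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    source: str       # path or mailbox item the text came from
    kind: str         # "card" or "ssn"
    offset: int       # character offset within the source
    masked: str       # last four only; reports never carry the raw value
    authorized: bool  # True if the source is a sanctioned data store


def _candidates(buf: str) -> Iterator[Tuple[str, int, int, str]]:
    """Yield (kind, start, end, masked) for validated hits in buf."""
    for m in CARD_RE.finditer(buf):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            yield "card", m.start(), m.end(), "*" * (len(digits) - 4) + digits[-4:]
    for m in SSN_RE.finditer(buf):
        yield "ssn", m.start(), m.end(), "***-**-" + m.group()[-4:]


def scan_chunks(source: str, chunks: Iterable[str]) -> List[Finding]:
    """Scan a stream of text chunks in one pass, without building an index.

    The tail of each chunk is carried into the next so a value split across a
    boundary is still caught; hits that reach into the held-back tail are
    deferred until the following chunk shows where they really end.
    """
    authorized = source.startswith(AUTHORIZED_STORES)
    findings: List[Finding] = []
    seen = set()          # (kind, absolute offset) already reported
    carry, base = "", 0   # carried text and its absolute offset in the source
    it = iter(chunks)
    chunk = next(it, None)
    while chunk is not None:
        nxt = next(it, None)
        buf = carry + chunk
        # On the final chunk everything is reportable; otherwise hold back the tail.
        safe_end = len(buf) if nxt is None else max(0, len(buf) - MAX_MATCH_LEN)
        carry_from = safe_end
        for kind, s, e, masked in _candidates(buf):
            if e <= safe_end:
                key = (kind, base + s)
                if key not in seen:
                    seen.add(key)
                    findings.append(Finding(source, kind, base + s, masked, authorized))
            else:
                carry_from = min(carry_from, s)  # keep the whole partial hit
        # Keep a digit run intact at the boundary so the lookbehind sees real
        # context (bounded, so a huge digit run cannot make the carry grow).
        lo = max(0, carry_from - MAX_MATCH_LEN)
        while carry_from > lo and buf[carry_from - 1].isdigit():
            carry_from -= 1
        carry = buf[carry_from:]
        base += carry_from
        chunk = nxt
    return findings


def scan_text(source: str, text: str, chunk_size: int = 4096) -> List[Finding]:
    """Convenience wrapper: stream `text` through scan_chunks in fixed-size pieces."""
    return scan_chunks(source, (text[i:i + chunk_size]
                                for i in range(0, len(text), chunk_size)))


if __name__ == "__main__":
    # Tiny chunks force the card number to straddle several chunk boundaries.
    for f in scan_text("/home/alice/notes.txt", SAMPLE_NOTES, chunk_size=7):
        print(f)
```

The Luhn-invalid "order ref" in the sample is exactly the kind of false positive a bare regex would raise; the scanner drops it, reports the real card number and the SSN with only their last four digits, and marks both as unauthorized because the notes file is not under a sanctioned store. A remediation step would act on that `authorized` flag; what the action is (collect to a central repository, then remove) is a policy decision this example leaves to the caller.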

Despite these difficulties, endpoint data classification is something that must be done - not only because having sensitive data scattered about significantly increases risk exposure, as well as the costs associated with e-discovery requests, but also because it is a requirement of many regulations. Some of those include Nevada's Security of Personal Information Law (NRS 603.A), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS).

For these regulations, and for unregulated confidential data, the ability to discover sensitive data on endpoints is crucial for reducing the risk and costs of incidents, remaining compliant, and enforcing policies to avoid mishaps and regulatory findings. When looking for a solution, there are certain requirements you need to consider:

Broad encryption support

Broad OS support

Ease and flexibility of deployment and configuration

Forensic-grade visibility

Review capability

Policy enforcement mechanism

Integration with other systems

EnCase Cybersecurity enables organizations
to find sensitive intellectual property, personally identifiable information,
and classified data on endpoints. Also, with disk-level and volatile RAM search
ability, EnCase Cybersecurity can target and locate sensitive data wherever it is stored - even if it has already been deleted. Additionally, organizations can target
data based on self-defined and pre-defined criteria. Then, when critical data
is found in unauthorized areas, the data can be collected to a central
repository if needed and then removed in such a way as to be unrecoverable.
This way risk is not only instantly reduced, but policy is also continuously
enforced going forward as employees will know that endpoint data policy
violations will be identified, and won’t be tolerated.

There’s no doubt that endpoint data
identification and auditing will be a challenge for some time to come. If you’d
like to learn more, you’re invited to watch the on-demand webinar Dude, Where’s My
Data – Finding & Securing Sensitive Data, which provides more
detail on the challenges of endpoint data auditing and identification, and how
EnCase Cybersecurity will help.